Creating custom Event Threat Detection modules in SCC Premium

In this community post, we’ll take a closer look at creating custom modules for Event Threat Detection (ETD) in Security Command Center Premium.

SCC Premium provides a framework for creating custom modules for ETD using module templates. As an example, we’ll explain how to use the Domains template to craft a custom ETD module to detect communication with a command-and-control (C2) domain associated with the WARPWIRE credential harvester.

In a January 11 blog post, Mandiant researchers detailed a family of malware associated with two disclosed vulnerabilities affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. Multiple indicators of compromise (IOCs) are detailed in the research, including a network-based indicator for a domain that serves as the C2 destination for a JavaScript-based credential harvester called WARPWIRE.

It’s important to note that SCC Premium already integrates the latest Mandiant Threat Intelligence into Event Threat Detection without any extra action needed by customers. For this example, we’ll manually create a module for detecting this C2 destination to outline the module creation process in more detail.

From the research provided in the blog post, we see that the C2 beacon associated with WARPWIRE is the domain symantke[.]com, so we can use this information to pivot to SCC Premium and create a custom ETD module.

[Screenshot: vaskenh_0-1706027871311.png]

In SCC Premium select Overview, then select Settings. From the list of modules, select Manage Settings under Event Threat Detection.

[Screenshot: vaskenh_1-1706027871353.png]

Select Modules on the next screen, then select Create Module to launch the custom ETD module creation workflow.

[Screenshot: vaskenh_2-1706027871365.png]

In this scenario, we’re creating a rule that is designed to trigger on observed communication with a known bad domain. For this reason we’ll select Domain from the list of available templates, and populate it with a title and the C2 domain we identified earlier.

[Screenshot: vaskenh_3-1706027871868.png]

Since we can be confident that communication with this domain is indicative of malicious behavior, we can set the severity of the finding to High and populate it with additional metadata as shown below. Select Create to save the new custom module.

[Screenshot: vaskenh_4-1706027871363.png]

We can now test our custom ETD module. In this scenario, we need to generate DNS logs that show communication with this C2 server, so we’ll do this with a basic curl command, which performs a DNS lookup of the domain before attempting the HTTP request.

curl symantke.com

We can then pivot back to SCC Premium and click Findings to see that our activity has triggered the custom rule we created earlier.
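To make the detection logic behind the Domain template concrete, here is an added example that is not part of the original post and not SCC or ETD code: a small Python script that takes the indicator in the defanged form it appears in threat research (symantke[.]com), refangs it, and matches it against DNS query log entries, emitting a High-severity finding record for each hit. The log lines are constructed for the example and the field names (queryName, sourceIP, vmInstanceName) are modelled on Cloud DNS query logging; the finding layout is an assumption, not the real ETD finding schema. It goes slightly beyond the post by also matching subdomains of the indicator while rejecting look-alike names that merely end in the same characters.

```python
import json
from typing import Iterable, List, Optional, Set

# Indicator as published in the research, in defanged form (the same domain the
# post uses for the custom module). Constructed list for this example.
C2_DOMAINS_DEFANGED = ["symantke[.]com"]

# Severity we chose in the custom module (assumption: mirrors the High setting).
SEVERITY = "HIGH"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as symantke[.]com into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def matches_c2(query_name: str, c2_domains: Set[str]) -> Optional[str]:
    """Return the indicator that query_name equals or is a subdomain of, else None.

    The leading dot in the endswith check prevents 'notsymantke.com' from
    matching 'symantke.com'.
    """
    name = query_name.strip().lower().rstrip(".")
    for ioc in c2_domains:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_logs(log_lines: Iterable[str],
                  c2_domains_defanged: Iterable[str] = C2_DOMAINS_DEFANGED) -> List[dict]:
    """Scan JSON DNS log entries and return one finding per query to a C2 domain."""
    iocs = {refang(d) for d in c2_domains_defanged}
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("jsonPayload", {})
        qname = payload.get("queryName", "")
        hit = matches_c2(qname, iocs)
        if hit is None:
            continue
        findings.append({
            "category": "Custom module: C2 domain communication",  # assumed label
            "severity": SEVERITY,
            "indicator": hit,
            "queryName": qname,
            "sourceIP": payload.get("sourceIP"),
            "vmInstanceName": payload.get("vmInstanceName"),
            "timestamp": entry.get("timestamp"),
        })
    return findings


# Constructed sample log lines: one exact hit, one subdomain hit, one benign
# query and one look-alike name that must NOT match.
SAMPLE_LOGS = [
    json.dumps({"timestamp": "2024-01-23T16:00:01Z", "jsonPayload": {
        "queryName": "symantke.com.", "queryType": "A",
        "sourceIP": "10.0.0.5", "vmInstanceName": "web-1"}}),
    json.dumps({"timestamp": "2024-01-23T16:00:02Z", "jsonPayload": {
        "queryName": "cdn.symantke.com.", "queryType": "A",
        "sourceIP": "10.0.0.6", "vmInstanceName": "web-2"}}),
    json.dumps({"timestamp": "2024-01-23T16:00:03Z", "jsonPayload": {
        "queryName": "www.example.com.", "queryType": "A",
        "sourceIP": "10.0.0.7", "vmInstanceName": "web-3"}}),
    json.dumps({"timestamp": "2024-01-23T16:00:04Z", "jsonPayload": {
        "queryName": "notsymantke.com.", "queryType": "A",
        "sourceIP": "10.0.0.8", "vmInstanceName": "web-4"}}),
]


if __name__ == "__main__":
    for finding in scan_dns_logs(SAMPLE_LOGS):
        print(json.dumps(finding))
```

Run it as-is to see two findings (the exact domain and the subdomain). The refang step matters in practice: indicators pasted straight from a report in defanged form will silently never match if they are not normalised first.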

[Screenshot: vaskenh_5-1706027871400.png]

Since we manually triggered this finding as part of this scenario, we can select the finding and mute it.

Event Threat Detection in SCC Premium allows customers to create custom modules based on other types of templates as well, such as the assignment of specific IAM roles to principals, usage of specific compute images as part of provisioning a compute instance, and more. For more information about ETD, please see our overview.
